Facebook's 'Shadow Profile' Bug Proves We've Lost Control Of Our Data

contributing editor

June 24, 2013 // 01:33 PM EST

Most Gen-Yers, the internet generation, gave up on protecting our online privacy a while ago, but some hold-outs take great pains not to share too much personal information, hoping to enjoy the fun and convenience of social networks and web 2.0 broadcasting without themselves across the grid. They want to have their cake without telling the baker where they live.

Clearly, that hope is in vain. Reuters reported Friday on a Facebook bug that revealed the social network not only knows the phone numbers and email addresses of millions of members who didn't deliberately provide the information, but Facebook has accidentally been sharing that information with other users.

While you can control what information you put on the internet, it increasingly looks like you can't control what others are providing about you—"for you"—or what web companies are doing with that data.

First, what happened. Facebook gets its hands on users' private contact information from other users "with some connection" to them when they input their contact lists. It stores this extra, off-site information in members' "shadow profiles." Thanks to a bug in the system, for a year now, data from shadow profiles and regular profiles were accidentally combined, and Facebook users who downloaded an archive of their account data using the company's Download Your Information tool were shocked to find private information in the report that they had never provided and that, in some cases, was inaccurate.

The bug isn't the issue here. Yes, it exposed the phone numbers and emails for six million accounts, but considering more than a billion people have Facebook accounts, that's only 0.6 percent—a pretty minuscule chunk. The glitch was caught Friday by a security expert at Facebook and fixed within 24 hours.

The problem is, Facebook will still collect and store "shadow profile" information—it just won't accidentally include it in DYI reports anymore. Indeed, that fact is spelled out in the company's privacy policy:

"We receive information about you from your friends and others, such as when they upload your contact information, post a photo of you, tag you in a photo or status update, or at a location, or add you to a group. When people use Facebook, they may store and share information about you and others that they have, such as when they upload and manage their invites and contacts."

People are pissed about the security flaw because of the potential implications. What is Facebook doing with the data in shadow profiles? The official answer is, "When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations," according to Facebook's pseudo-apology statement.

Is that it? Facebook also said in the statement that advertisers and developers don't have access to the DYI tool. But just because advertisers don't have direct access to that data, doesn't mean Facebook can't give it—or rather, sell it—to advertisers. According to the privacy policy, "We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use" and "to measure or understand the effectiveness of ads you and others see, including to deliver relevant ads to you."

That's no secret. But "shadow" data—the information companies may be collecting by reading between the lines of our status updates and profile facts—makes it even more unnerving. For instance, a recent study showed that by analyzing “likes,” Facebook can tell if you’re gay, how you vote, and other sensitive topics, even if you don’t specifically give this information. Data miners are adding A and B to make C. What can they infer from what other people are saying about us? The "what ifs" are the scary part. What is Facebook able to do with your data? Or the government? Or a hacker? Or a cyberattacker?

What if next time, the security breach includes your credit card information? Your home address? What if you quit Facebook, or never joined in the first place, but they're still collecting data on you? This accusation was hurled at the company two years ago when it was suspected Facebook Ireland was creating shadow profiles for non-members based on information collected from other users. The company denied it, and a privacy audit in Ireland found no evidence of the practice. But what if?

The revelation that Facebook was accidentally sharing private data through extended social networks pokes holes in the "nothing to hide" defense that leads many people to shrug off the NSA's PRISM surveillance program. If web companies are compiling profiles with more data on you than you offer, and sometimes getting the data wrong, even those with nothing to hide can find themselves at the wrong end of an accusation.

Many of us are fine with giving Facebook nearly our entire life story, even putting our email address and phone number out there for all to see. Some of us aren't, and keep this information under lock and key. The point is, all of us want to feel like we have some semblance of control. Facebook’s latest scandal proves how much we don't.